Detect Confluence in Microsoft Sentinel
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Sub-technique: T1213.001 Confluence
- Canonical reference: https://attack.mitre.org/techniques/T1213/001/
KQL Detection Query
let BulkAccessThreshold = 40;
let SensitiveSearchTerms = dynamic([
"password", "passwd", "credential", "secret", "api key", "apikey",
"token", "vpn", "ssh", "private key", "aws", "azure", "gcp",
"database password", "db pass", "connection string", "bearer",
"service account", "ldap", "kerberos", "access key"
]);
// Detect bulk Confluence access and credential hunting via Microsoft Defender for Cloud Apps
CloudAppEvents
| where Timestamp > ago(24h)
| where AppName has_any ("Confluence", "Atlassian")
| where ActionType in~ (
"PageViewed", "ContentViewed", "SpaceViewed",
"AttachmentDownloaded", "ContentExported", "SpaceExported",
"PagePrinted", "SearchPerformed",
"page_viewed", "space_viewed", "content_exported",
"attachment_downloaded", "search_performed"
)
| extend SearchQuery = tostring(RawEventData.searchQuery)
| extend SpaceKey = tostring(RawEventData.spaceKey)
| extend PageTitle = coalesce(tostring(ObjectName), tostring(RawEventData.pageTitle))
| extend IsSensitiveSearch = (SearchQuery has_any (SensitiveSearchTerms))
| summarize
TotalActions = count(),
UniquePages = dcount(PageTitle),
UniqueSpaces = dcount(SpaceKey),
SensitiveSearchCount = countif(IsSensitiveSearch == true),
ExportCount = countif(ActionType in~ ("ContentExported", "SpaceExported", "PagePrinted", "content_exported", "space_exported")),
DownloadCount = countif(ActionType in~ ("AttachmentDownloaded", "attachment_downloaded")),
ActionTypes = make_set(ActionType, 8),
SampleTitles = make_set(PageTitle, 10),
SensitiveTermsFound = make_set_if(SearchQuery, IsSensitiveSearch, 5), // only queries that matched a sensitive term, not every search
FirstActivity = min(Timestamp),
LastActivity = max(Timestamp)
by AccountObjectId, AccountDisplayName, IPAddress, UserAgent
| where TotalActions > BulkAccessThreshold
or SensitiveSearchCount > 0
or ExportCount > 5
or (UniqueSpaces > 5 and TotalActions > 20)
| extend DurationMinutes = max_of(datetime_diff('minute', LastActivity, FirstActivity), 1)
| extend AccessRatePerMinute = round(toreal(TotalActions) / DurationMinutes, 2)
| extend ThreatIndicator = case(
AccessRatePerMinute > 10, "Automated scraping detected — exceeds 10 pages/min",
SensitiveSearchCount > 0, "Credential/secret hunting via search queries",
ExportCount > 5, "Bulk content export activity",
UniqueSpaces > 10, "Multi-space enumeration pattern",
TotalActions > 100, "High-volume bulk access",
"Elevated Confluence access above threshold")
| project
Timestamp = FirstActivity,
AccountDisplayName,
AccountObjectId,
IPAddress,
UserAgent,
TotalActions,
UniquePages,
UniqueSpaces,
SensitiveSearchCount,
SensitiveTermsFound,
ExportCount,
DownloadCount,
AccessRatePerMinute,
ThreatIndicator,
ActionTypes,
SampleTitles,
LastActivity
| sort by TotalActions desc

Detects Confluence data mining patterns via Microsoft Defender for Cloud Apps (MDA/MCAS) using the CloudAppEvents table. It identifies three primary threat patterns: (1) bulk page access above threshold, suggesting automated scraping or systematic enumeration; (2) search queries containing credential/secret terms, indicating adversaries hunting for exposed passwords and API keys; and (3) bulk export activity that may precede exfiltration. The query aggregates activity over 24 hours per user, split by source IP address and user agent, and computes an access rate; rates exceeding 10 pages/minute indicate scripted enumeration rather than organic browsing. Requires an MCAS/MDA session policy configured to monitor Atlassian Confluence.
Data Sources
Required Tables
- CloudAppEvents (Microsoft Defender for Cloud Apps activity telemetry)
False Positives & Tuning
- Content migration projects or Confluence-to-Confluence migrations where automation accesses all pages systematically with high volume and speed
- Documentation teams or technical writers conducting content audits, broken link validation, or space-wide inventories across multiple spaces
- Enterprise search indexing crawlers (Elasticsearch, Algolia connectors) that periodically ingest Confluence content for full-text search
- New employees or contractors onboarding who rapidly read many documentation pages in their first week
- Automated backup and archival tools performing scheduled full-space exports on a recurring basis
- Developer tooling integrations (IDE plugins, CI/CD pipeline documentation steps) that programmatically read Confluence pages
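To exercise the query's summarize, threshold and ThreatIndicator logic offline, and to show where an allowlist for the benign automation listed above fits, here is an added Python re-implementation over constructed events. It is not part of the original page or of the Sentinel query; the account allowlist, the event field names and the sample events are assumptions, and the has_any term matching is approximated.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

BULK_ACCESS_THRESHOLD = 40
SENSITIVE_TERMS = ["password", "passwd", "credential", "secret", "api key", "apikey", "token", "vpn",
                   "ssh", "private key", "aws", "azure", "gcp", "database password", "db pass",
                   "connection string", "bearer", "service account", "ldap", "kerberos", "access key"]
EXPORT_ACTIONS = {"contentexported", "spaceexported", "pageprinted", "content_exported", "space_exported"}
ALLOWLISTED_ACCOUNTS = {"svc-search-indexer"}  # hypothetical tuning allowlist, not part of the page's query
def is_sensitive(query):
    # Approximates KQL has_any: case-insensitive match on whole terms/phrases, so "tokenizer" != "token"
    padded = " " + " ".join(re.findall(r"[a-z0-9]+", query.lower())) + " "
    return any(f" {t} " in padded for t in SENSITIVE_TERMS)
def summarize(events):
    # Per (account, ip, user agent) aggregation, trigger thresholds and ThreatIndicator as in the KQL
    groups = defaultdict(list)
    for e in events:
        groups[(e["account"], e["ip"], e["user_agent"])].append(e)
    results = []
    for (account, ip, ua), evs in groups.items():
        if account in ALLOWLISTED_ACCOUNTS:  # known crawler/backup identity from the tuning list
            continue
        total, spaces = len(evs), {e["space"] for e in evs if e["space"]}
        sensitive = [e["query"] for e in evs if e["query"] and is_sensitive(e["query"])]
        exports = sum(e["action"].lower() in EXPORT_ACTIONS for e in evs)
        first, last = min(e["ts"] for e in evs), max(e["ts"] for e in evs)
        minutes = max(int((last - first).total_seconds() // 60), 1)  # DurationMinutes
        rate = round(total / minutes, 2)                                # AccessRatePerMinute
        if not (total > BULK_ACCESS_THRESHOLD or sensitive or exports > 5 or (len(spaces) > 5 and total > 20)):
            continue  # below every trigger: treated as organic browsing
        indicator = ("automated_scraping" if rate > 10 else "credential_hunting" if sensitive
                     else "bulk_export" if exports > 5 else "multi_space_enumeration" if len(spaces) > 10
                     else "high_volume" if total > 100 else "elevated_access")
        results.append({"account": account, "ip": ip, "user_agent": ua, "total": total,
                        "unique_spaces": len(spaces), "sensitive_search_count": len(sensitive),
                        "export_count": exports, "rate_per_minute": rate, "indicator": indicator})
    return sorted(results, key=lambda r: -r["total"])
# Constructed sample telemetry shaped like the CloudAppEvents fields the query reads (not real data)
T0 = datetime(2024, 1, 1, 9, 0)
def _ev(account, action, minute, ua="python-requests/2.31", space=None, query=None):
    return {"account": account, "action": action, "ts": T0 + timedelta(minutes=minute),
            "ip": "10.0.0.5", "user_agent": ua, "space": space, "query": query}
SAMPLE_EVENTS = (
    [_ev("alice", "PageViewed", i % 3, space=f"SP{i % 12}") for i in range(60)]                  # scripted scrape
    + [_ev("bob", "SearchPerformed", 0, ua="Mozilla/5.0", query="vpn password"),                 # credential hunt
       _ev("bob", "SearchPerformed", 30, ua="Mozilla/5.0", query="aws access key")]
    + [_ev("svc-search-indexer", "PageViewed", i % 5, space=f"SP{i % 12}") for i in range(200)]  # allowlisted
    + [_ev("carol", "PageViewed", i * 12, ua="Mozilla/5.0", space="DOCS") for i in range(5)]      # organic
)
```

Running summarize(SAMPLE_EVENTS) returns two rows: alice as automated scraping at 30 pages/minute across 12 spaces, and bob as credential hunting on two searches, while the allowlisted indexer and carol's slow browsing produce nothing.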
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Confluence Space Enumeration via REST API
Expected signal: GET request to /rest/api/space visible in proxy logs with source host, user agent, and response bytes. Atlassian audit log records an API access event for the authenticated user. CloudAppEvents (if MCAS integrated) captures SpaceViewed or API access events per space returned.
- Test 2: Confluence Credential Hunting via Search API (CQL)
Expected signal: Multiple GET requests to /rest/api/content/search with credential-related CQL query parameters visible in proxy logs and URL paths. Atlassian audit log records each SearchPerformed event with the query text. CloudAppEvents captures SearchPerformed events; the SensitiveSearchCount metric in the primary KQL query increments for each sensitive term.
- Test 3: Bulk Page Content Extraction with Body Storage Expansion
Expected signal: GET request to /rest/api/content with the expand=body.storage parameter in proxy logs. Significantly higher bytes-transferred value than a standard metadata-only request due to full page bodies. Atlassian audit log records content access events. File created in /tmp on the attacker system.
- Test 4: Confluence Space XML Export via Web Interface
Expected signal: POST to /dologin.action followed by GET to /spaces/exportspacezipxml.action visible in proxy logs. Large file download (ZIP archive) with high bytes-transferred. Atlassian audit log records a space export event under the authenticated user. CASB/MCAS captures a SpaceExported or ContentExported event.
References
- https://attack.mitre.org/techniques/T1213/001/
- https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://developer.atlassian.com/cloud/confluence/rest/v1/intro/
- https://confluence.atlassian.com/doc/confluence-audit-log-1017226528.html
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-shadow-it
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.001/T1213.001.md